Automated Android Penetration Test Command Generator: Parse AndroidManifest to Create Drozer Payloads

DrozerForge is a Python tool that parses an app's AndroidManifest.xml, automatically discovers security‑relevant components such as risky global settings, exported activities, deep‑link URLs, services/receivers, and content providers, and then prints ready‑to‑run Drozer commands for each finding.

Black & White Path

Tool Overview

DrozerForge is a Python utility that parses an Android app’s AndroidManifest.xml and automatically generates Drozer console commands for identified attack surfaces.

Core Features

Global scan for allowBackup, debuggable and potential StrandHogg task‑hijacking configurations.

Exported‑activity detection with one‑click commands for privilege‑escalation or page‑bypass testing.

Deep‑link extraction from WebView components; builds malicious URIs for arbitrary redirect, XSS or RCE testing.

DoS fuzzing payloads for Service/Receiver components, including a NullPointerException trigger.

Content‑Provider analysis; generates directory‑traversal (../../etc/hosts) and SQL‑injection test commands.

Noise reduction that filters normal MAIN launch activities.

Dependency

Optional installation of defusedxml protects against XXE attacks in malicious manifests:

pip install defusedxml

Implementation Overview (DrozerForge.py)

The script defines parse_android_manifest(xml_file), which loads the XML (using defusedxml.ElementTree when available) and extracts Android namespace attributes such as exported, debuggable, allowBackup, etc. It then walks the document to collect:

Activities: determines export status, task affinity, launch mode, and intent filters to identify MAIN activities, exported activities, and deep‑link data.

Services & Receivers: determines export status, skips system‑level permissions (e.g., BIND_ACCESSIBILITY_SERVICE), and records the first action for DoS fuzzing.

Content Providers: evaluates exported and grantUriPermissions, extracts authorities, and flags potential directory‑traversal or SQL‑injection vectors.

A helper check_exported(node, comp_type="") returns a boolean export flag and the list of intent filters, handling the special case where the exported attribute may be omitted for providers.
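The export-resolution step described above, written out as an added example that is not DrozerForge's own code: it applies the platform's documented defaults when android:exported is omitted and records any guarding permission, which is what an audit of your own manifest needs before any command is generated. The names effective_exported, audit_manifest and SAMPLE are hypothetical, and the manifest is constructed.

```python
# Added example, not DrozerForge's code: resolve effective android:exported.
try:
    from defusedxml.ElementTree import fromstring  # refuses entity/DTD tricks
except ImportError:  # defusedxml is optional, as on the page
    from xml.etree.ElementTree import fromstring

NS = "{http://schemas.android.com/apk/res/android}"
TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

def effective_exported(node, min_sdk, target_sdk):
    """Return (exported, reason) following the platform's default rules."""
    explicit = node.get(NS + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true", "explicit"
    if node.tag == "provider":
        # Providers default to exported only when min or target SDK <= 16.
        return min(min_sdk, target_sdk) <= 16, "provider default"
    # Other components default to exported when they declare an intent-filter.
    # (Apps targeting API 31+ must set the attribute explicitly in that case.)
    return node.find("intent-filter") is not None, "intent-filter default"

def audit_manifest(xml_text):
    """List (tag, name, exported, reason, permission) for every component."""
    root = fromstring(xml_text)
    sdk = root.find("uses-sdk")
    # Assumption: a missing uses-sdk means API 1, the documented default.
    min_sdk = int(sdk.get(NS + "minSdkVersion", "1")) if sdk is not None else 1
    target = int(sdk.get(NS + "targetSdkVersion", min_sdk)) if sdk is not None else min_sdk
    rows = []
    for node in root.iter():
        if node.tag in TAGS:
            exported, reason = effective_exported(node, min_sdk, target)
            rows.append((node.tag, node.get(NS + "name"), exported, reason,
                         node.get(NS + "permission")))
    return rows

# Constructed sample manifest (not from a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <activity android:name=".Settings"/>
    <service android:name=".MyService" android:exported="true"
             android:permission="com.example.app.BIND"/>
    <provider android:name=".Files" android:authorities="com.example.app.files"/>
  </application>
</manifest>"""
```

A component that is exported only by default and carries no permission is the case worth fixing first: set android:exported="false" explicitly or add a signature-level permission.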

Result Presentation

The print_results function formats findings with colored console output. Example commands:

dz> run app.activity.start --component com.example.app com.example.app.MainActivity

Deep‑link testing constructs a URI such as {scheme}://{host}{path}?url=http://hacker.com and runs:

dz> run app.activity.start --action android.intent.action.VIEW --data-uri "{uri}"

DoS fuzzing for a service uses:

dz> run app.service.start --component com.example.app com.example.app.MyService --extra string testFuzz null

Content‑Provider enumeration includes traversal and injection scans, e.g.:

dz> run app.provider.read content://{authority}/../../../../etc/hosts
dz> run scanner.provider.traversal -a com.example.app
dz> run scanner.provider.injection -a com.example.app

Execution Flow

The script uses argparse to accept an optional -f/--file argument (default AndroidManifest.xml). After parsing, it calls parse_android_manifest and, if successful, passes the results to print_results. The entry point is guarded by if __name__ == "__main__":.

Repository

Source code and releases: https://github.com/hsggg/DrozerForge/tree/main
